The Business-Technology Weave

Did you know that an inactive credit card can be breached, and have a charge applied to it? Neither did I, but it’s just recently happened. This is alarming for a couple reasons, but before speaking directly about Capital One, and their standards of maintaining credit card account security, I’d like to review a bit:

In the IT realm, whether we call it content, data, records, storage, personal info, or anything else, we’re speaking about information – anything that has the power to inform. And content, data, etc., has the power to inform the right people… and the wrong people.

Generally, we want to inform the right people by virtue of authorization paired with the needto know. We DON’T want to inform the wrong people – those who have no legitimate need, and who may have nefarious motives. We want a strong bar in place to prevent those sorts of folks from knowing any particular thing to which they are not authorized.

Whether IT or not, information security has always been of paramount importance: Access is everything. Even in centuries past, and on through today, information was and is protected and disseminated within standards, whether on stone tablet, parchment, tape, 8″ floppy discs, etc., and on through today’s e-mail, mobile media, social networking, the Cloud, and so forth.

So what happened at Capital One? Well, their standards are remiss, for one thing:

A customer received a statement with a bill for $6.99. The charge was processed from a company called Big Fish Games. There were a couple problems, though: This particular credit consumer did not make a purchase from Big Fish Games. Further, this person didn’t have a Capital One card, although he vaguely remembered that he might have had one once upon a time.

He called Capital One and found that:

1) He had had a credit card account, and card, in the past.

2) The account was paid in full.

3) The last payment, clearing the card’s balance, was made in April of 2009.

4) The card had been shredded; Capital One inactivated the card at that time. The consumer considered the card and account “gone,” “dead,” “buried,” etc.

However, as opposed to “dead,” this account was more like a zombie, rising to somehow process that fraudulent charge in July of this year. If you think about this from an IT perspective, it’s pretty incredible.

Consider what this means: Someone got hold of this person’s account information for an inactive credit card. They got a retail outlet to process a charge, and Capital One accepted that charge – even as the card remained in an Inactive status!

The customer care agents had no explanation, other than to assure the consumer that the charge was fraudulent, would be removed, and that the account would be (again) inactivated. (I’m not sure how you inactivate an inactive account. Maybe it can be placed on double-secret probation inactivation – with apologies to Animal House). They offered the issue of a new card. However, this consumer did not want a new card, and thus declined that. Can we blame him?

What is particularly bothersome is the failure of a simple flag… a bit in the right place… a “1” or a “0” would do the trick: Don’t process any incoming charges against this Inactive account.

I think Capital One has some work to do.

Why such a small charge? Well, fraudsters frequently try a small test charge against a breached account – if it goes through, a larger one follows. Or in some cases, particularly accounts that are paid with automatic online bill pay, a fraudster can run small monthly transactions for a good amount of time before they’re noticed by the cardholder.

Fortunately for this person, he does not engage in automatic online bill pay (a few liabilities there, but most folks appreciate the convenience, efficiency, and administrative benefits).

What lessons are here for us?

Remember: In the realm of risk, unmanaged possibilities become probabilities: View all business/IT activity through a security prism – and that includes personal business and, in this case, Capital One’s IT standing. For those of you who automate your bill payments online, be certain to check all accounts frequently.

Is your organization secure?I don’t mean from a content or access perspective:I mean, is it well-positioned for the future?Do the organization and visionaries make effective plans for secure transitions to new business models, allied enablements, products, services, and deliveries?

Anyone can stumble.Let’s consider a high-profile example:Kodak filed for Chapter 11 bankruptcy protection on January 19th.This, in spite of anticipating and trying to make adjustment from film to digital imaging.One has to ask:If a company like Kodak, with its deep financial and personnel resources, can stumble and go bankrupt, can the future impact my organization in a similar way?What is it that we need to be anticipating and doing…right now… in holding a “Kodak outcome” at bay?

Innovation expert Scott Anthony, author of The Little Black Book of Innovation says, “Even an insightful company can go wrong if it doesn’t push far enough, fast enough, into uncomfortable territory.”

And it’s with that realization that we come to the mobile revolution.The mobile revolution is any organization’s – yours – “film to digital” moment.Mobile devices, with ever more robust operating systems, increased processing capabilities, and higher storage capacities – are now able to run more applications and do ever-more sophisticated things.More applications are being developed, and delivering more productivity, all the time.And, custom apps can be fitted to your exact business models and methodologies.Think about it:The organization’s overall productivity enjoys an enormous boost when folks can access, process, and deliver from virtually anywhere – worldwide.

But it’s more than that…

Total Cost of Overhead (TCO) and Time to Value (TtV) are key components in any successful business.TCO needs to be driven down, in service to keeping expense under control, which serves profit.TtV needs to be speedy:Faster development and implementations aid TCO, and quick business enablements also begin serving faster returns on investments (ROI), again in service to profit.Even non-profit environments and government agencies need lower cost, efficient implementations, and best returns.

In view of all that, consider that many organizations are capturing the ready population of existing personal mobile devices that employees already own – they’re a free capital resource.Why buy expensive laptops, tablets, smartphones, iPads, etc., if there’s an existing mobile population already in hand in the form of personally owned assets? All that’s required is a strong Bring Your Own Device (BYOD) Policy, and associated Security Policy and training.

All that’s really left is to engage a mobile solutions provider that understands change, innovation, and the streaming present/future environment.A steady partnership with a mobile innovator will be in every organization’s future.

Today, any business has to ask itself:“What is my organization’s standing in the mobile revolution?”

For this article, let’s define “business” as “the doing of the doing” – whatever it is your organization does for delivery to the outside world.You may be a private enterprise, a non/not-for-profit, a government agency, a school, and so forth.

In today’s business environment, from the Weave perspective, there are two types of organizations. Simply put: those that understand how to manage business-technology endeavors, and those that do not.

In order for the IT leader to effectively manage – to maximize that department’s support to business – the organization as a whole must be able to effectively manage IT. It’s a partnership – but a partnership that Business manages.

A frequent complaint from IT leaders (and quite a few business leaders) translates as “my organization doesn’t understand technology.” The follow-on from Business is that systems are cumbersome, don’t deliver as expected, and that IT help is frequently ineffective. A parallel IT follow-on is that senior executives, directors and managers don’t understand IT, and many simply care not to. Within these circumstances, Business and IT fail to set an example, which means that staff fails to understand, or seek how to effectively use, the technology at their disposal. The result is that many organizations don’t understand technology’s true role in the organization, and our modern responsibility within that.

On one end of the extreme is the organization that thinks of IT as a sort of glorified computer repair. Plans and success for optimal alignment between business and technology suffer here, but so too does the day-to-day. In other words, people at all levels of the organization first and foremost think of IT as a place to call when their PC acts up. Theirs is a rather benign, naïve view of the technology lever – and therefore they don’t grab that lever and use it to maximum effect. The organization does not reap the best return on its technical supports and investments. In this realm too are those that resent technology – they have an adversarial relationship with it and the people who support it. At best is a view that technology is a necessary evil of sorts – there is a diminished and delayed engagement on the planning and execution of solutions, as this engagement is viewed as a difficult, unrewarding, endeavor.

Yet, powerful enablements within various software applications – core, mission-critical apps – go unexplored.Training only goes so far:Folks must maximize use of systems through Help functions and basic exploration, as apps packages have many features that are well within Acceptable Use policies, user-security standings, and within users’ capabilities for use.

At the other extreme is the organization that “gets it” – IT occupies a place at the organization’s planning table – there’s not a relevant business decision made without IT’s knowledge, and it’s recommendation. People respect technology’s interwoven contribution, and they value the professionals who work within this important core endeavor. In these environments, people poke, explore, suggest and expand systems’ capabilities. They are more likely to self-motivate in expanding their knowledge, and in contributing to the forward momentum of their organization’s Business-Technology Weave.

Most organizations fall somewhere in the middle. No matter where your organization falls, there is always room for improvement – …the first important key is to know where you are. You cannot get where you’re trying to go if you do not know where you’re starting from. Tell me how to get to Chicago. Tell me. You must first ask me, “From where are you departing?”

In the next day or so, we will explore a simple checklist for determining where your organization IS, (in terms of culture, business-technology acumen, protocols for planning, etc.) in order to effectively plan the subsequent “destinations” of projects and deliveries.We’ll examine various positionings for implementation of new products, new training, new security measures – in accommodating, and leading, the demands a changing world makes.

Knowing where you are – where you truly are – helps you to maneuver, and helps your organization as a whole in piloting its way forward to the ultimate destination: Success.

On this day (May 23):1922 – “Daylight Saving Time” was debated in the first debate ever to be heard on radio, in Washington, DC.

Word comes that more than 500,000 Macintosh machines are potentially infected with a virus – one that is specifically targeting Macs:It’s called Flashback Trojan.The virus is a variation on one that is normally aimed at PCs – typically powered by a Microsoft (MS) Windows operating system.The PC virus has been re-engineered to slip past typical Mac defenses.

A Finnish-based computer security firm, F-Secure, first spotted and noted the virus, followed quickly with qualification by a Russian anti-virus program vendor, Dr. Web.

“All the stuff the bad guys have learned for doing attacks in the PC world is now starting to transition to the Mac world,” according to McAfee Labs Director of Threat Intelligence Dave Marcus.

Once upon a time, people who labored in the Mac realm had a rather smug view of security:Macs escaped specific targeting, it seems, and nefarious malware creators seemed to concentrate their deeds to the world of the PC.No more.While Mac’s position in the past seemed to be that they weren’t vulnerable to PC malware (true, in a specific sense), they are now vulnerable to Mac malware – as adapted to, and specifically created for, that environment.

Malware developers concentrated on Windows PCs because they dominated the market.This allowed Apple to claim that PCs were more prone to hacking:True, technically, but perhaps not so much due to any particular superiority of security of operating systems; rather, merely the luck of being a smaller target.Now that Macs are increasing in popularity, the Apple operating system is becoming a much more attractive target.

So, what should you – PC or Mac user – do?No matter your operating system of choice, be certain to protect machines with up-to-date anti-virus products.Minimize risk by avoiding the opening of unknown files, and not clicking on unsolicited links – absent the qualification of them.

The IT field, like any, is rife with people who talk a good game.Some walk like they talk – some don’t.The average candidate for your IT department will appear conversant in technical matters, they will profess a belief in quality of service principles, and of course they are brought on board with high expectations.We know that many people fall short of these expectations – in all fields and areas of endeavor.But in cases of flat-out bad IT hires, we have an enormous drain on resources.In the IT department, a sub-optimal hire compounds across the organization in a very detrimental way, since IT supports virtually the entire organization and almost every effort within.

We also know how much time and effort it takes to dismiss an employee.Often an employee must be left within a performance arena in order for us to record and document poor performance.For IT, this is a cruel irony and a ticklish game – trying to maintain security and solid support while leaving job duties in the hands of a poor performer.The associated inefficiencies brought about by increased oversight, double-checking, and counseling are their own drain – in addition to the lack of results.There is also the impact to staff morale.For these reasons, you need an IT leadership that can smoke out the true candidates worthy of hire, investment, and promotion.

These things make it imperative for your IT leader to understand something about most areas of IT technical endeavor.This person does not need to have a deep background in all areas or even specific areas. This person just needs to have a solid understanding of the principles that guide areas, and a good familiarity with the higher-level best practices for managing each area.Much of the vetting of personnel falls to the managers just under the top leadership.Therefore, top leadership needs to qualify in making those managers the best possible investment that your organization can make, as those managers groom the rest of the department.

ABritish recruitment executive making over $300,000 a year is out of a job after accidentally doing a “Reply All” by mistake to an e-mail.

Gary Chaplin was a top executive at a “headhunting” firm (emphasis on “was”) when he received an e-mail from Manos Katsampoukas.Katsampoukas had e-mailed, rather incredibly, 4,000 people a copy of his curricula vitae (CV) in seeking a finance or marketing position.

Unfortunately, Mr. Chaplin was less than professional in his response, telling Mr. Katsampoukas to “Please f*** off – you are too stupid to get a job, even in banking.”There were a few other choice words, but you get the idea.That response is enough to get sacked, in my opinion, but the reply went back to all 4,000 people Katsampoukas e-mailed initially.(Source:The Sun, UK).Oops.

Gone is Mr. Chaplin’s job of 5 years for Stark Brooks, which would seem to be a top destination for any recruiter.They handle the needs of the largest firms, such as Heinz, Kellogg’s and Bentley, in recruiting and delivering top executive talent.

And that brings us to some sage advice that’s been profiled here in the past:View every activity through a security prism.Here specifically today, consider carefully what you’re saying in an e-mail, and be sure to read it through the recipient’s eyes before hitting Send.Also, review the recipient list:Are you accidentally invoking Reply All when you really only mean to send as a Reply?Are there folks you’re copying who might be bettered served with a BCC?

Beware of BCC too:Sometimes people, particularly senior ones, view a BCC as something furtive on the part of the sender.Be certain you’re using discretion for positive communications in service to the betterment of something.Don’t junk up the inboxes of folks with BCCs that are relatively low-level beefs or petty issues.Where possible, wait a day on some e-mails – if it still seems important next-day – send it then.

When in a professional setting, be professional and remain professional.It’s hard some days (I know), but secure your job.

Security includes appropriate communications:In securing your organization’s reputation, in securing your own personal business reputation, and in securing your very job.

Small-to-Medium Business (SMB), and in many cases large enterprise environments, faces a burgeoning challenge.Namely, how to train, monitor, discipline and, in some cases, make allowance regarding employees’ use of non-work applications.

While these and other elements can have some measure of sanction in some organizations, there is also a “Wild West” situation in others, whereby unregulated use leads to unbridled time-wasting, and the opening of avenues of risk.

In fact, some employees labor to skirt all manner of domain policies, inhibiting anti-virus/malware controls, and flaunt Acceptable Use policies where utilized.

As far as avenues of risk and temptation:It’s only going to get worse, with ever-more extraneous endeavors available, and plenty of employees will inhabit non-productive, risky, activies.

It’s important to set expectations right up front.Policies for security and the acceptable use of systems should be published quarterly, and again upon significant update.All new employees must be apprised of the organization’s position regarding non-work applications and areas.

In many cases, there will be outright bars to use of social networking or random surfing.However, in many cases there will be official work accounts for Facebook, as example.Here, it’s important to state whether there is allowance as well for personal Facebook time.Be aware that employees have been documented as forgetting which social networking account they’re inhabiting, and have made inappropriate communications/postings regarding either work or personal statements to the wrong account.

No matter your organization’s mission, size, or tolerance of various non-work items:State a policy for all areas of concern.Educate employees so they know what they may and may not do.Discipline those who break rules.

Don’t wait for the inadvertent, or even deliberate, exposure of sensitive company assets to the wrong forum.Don’t wait for a debilitating decline in productivity.Make certain that HR and IT address the “do”s and “don’t”s in your regular staff meetings, and that those departments are current and questing in the case of managing non-work apps and enablements.Maintain policies with a forward eye.

JOTD:Two horses and a dog are in a barn.The older horse says to the younger horse, “Hey, tomorrow is my last race, and if I win, my owners are likely to put me to pasture and I’ll enjoy my last days in the sun.However, if I lose, they may be unhappy enough to send me to the glue factory.I think I can best all the other horses with the exception of you.Will you let me win tomorrow?It’s only one race, after all…”.

The younger horse thinks for a moment, and says, “Well, I don’t know.I’ve won all my races thus far, and I have an unblemished record.I don’t want to ruin that – plus, if I lose the race to an older horse like you, I may never recover my reputation.No, I don’t think I can do it.”

Just then the dog, who has been listening in, speaks up and says to the younger horse, “Listen to yourself!Your friend has asked you for one simple favor:To lose to him tomorrow, in order to possibly save his life.You only have to come in second for one race; you can still beat all the other horses.How about it?”

The younger horse turns to the older horse and says, “Hey, look at that… a talking dog!”

We’ve discussed password liabilities before:Consider that many people use the same password (and often User ID) for multiple accounts.This can include online bank credentials, work accounts, social networking sites, other critical sites such as ebay and PayPal…

A breaching entity can hack one account, gain credentials, and then spin them through all other associated user accounts they identify.

Of course, password liabilities also include easy-to-guess things, which are subsequently hacked – either by manual human activity, or password-breaking softwares that simply tumble random words/characters, through authentication mechanisms.This morning, while having my auto serviced, I tried “password” in trying to gain access to a couple wireless networks in the vicinity – alas, no luck – but worth a try.Consider:About 5 years ago, Slovak hackers gained access to Slovakia’s National Security Bureau (NBU).The NBU maintains a huge body of classified information, which is supposed to enjoy strong security.However, the hack and breach wasn’t particularly sophisticated:The respective login ID and password was nbu/nbu123.

Might want to put a little thought into your organization’s passwords and their associated strength:Set a minimum amount of characters, and consider making some measure of required special characters (!@%, etc.).Also, see the four basic requirements at the bottom of this article for maintaining a solid password security posture.

Well, I guess it already has.But an interesting opinion was rendered recently regarding the United States’ position regarding cyber crime. According to Trend Micro’s global CTO, Raimund Genes, the US’ lax security standards are facilitating cyber crime in the public cloud.

Cloud adoption and loose standards regarding online banking show serious security flaws, according to Genes. In fact, he states, “The US has no sense about data security, and I could be very brutal there.”

This isn’t particularly good news for those individuals and organizations who harbor their content, and even processing, in the cloud, by virtue of various solutions providers. Often, these folks have no idea exactly where their information is – relying on the providers’ discretion and standards… and whether those standards comport with current and best practice can be anyone’s guess.

When security lags in one area, it often creates a lax situation in evolving and debuting areas. For example, a looming vulnerability involves Near Field Communication (NFC) – a brief description about NFC and then an example:

NFC allows simple transactions and data exchanges between wireless devices in close proximity. It will likely support regular use of smartphones for making payments. Already many of the smartphones on the market contain NFC chips; the chips are capable of containing credit card information, and a simple wave of your phone near a retail cash register’s reader, for example, will be a fast and effective way of making payment. No more digging for, and swiping of, a credit card.

However, Genes warns of this arena too: The use of NFC by credit card companies, again in view of lax security standards and measures, is a “security disaster,” in his words.

As individuals and organizations grapple with rapidly changing IT issues, such as cloud computing and storage, and NFC communications, be certain to examine and qualify your providers and procedures. Update security policies, and update your security checks. Remember: You must lead threats, in closing vulnerabilities, and in thwarting crime.

When hiring service providers and solutions partners, be certain they’re on the most responsible security edge possible.

The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.

If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support:That of water, power, communications, and other essentials such as policing.

There have been many hacks and harming incidents of various scope and harm in years past, of course.However, those were squarely within the realm of information’s availability or wellness:Incidents involving theft of content, destruction/corruption of it, or the interruption of availability to it by harming websites and their availability.

But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization.Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past.But what of more mundane, and perhaps likely, concerns for the average organization?

Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking).What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen:Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.”It will be sport.It will be an attempt to gain mention on the daily news cycle.

Why?Because if people can do it, they generally will.

Begin with a review of your Acceptable Use policy:Make certain people in your organization are not opening security vulnerabilities.They shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address.

They also shouldn’t be posting comments to non-work-related boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization.Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive:There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.

Review all security policies, and establish a monthly or quarterly security refresher training.All actions and activities should be viewed through security’s prism.Make everyone in the organization a security officer.

About This Blog

The Business-Technology Weave is written by David Scott, an author and consultant with 30 years’ experience in helping to define business-driven IT strategies, in achieving business-serving ones. His book, I.T. WARS, became an MBA-text that has been utilized at more than 40 universities worldwide. The book and this blog define a new business-IT culture that helps to close divides, direct purpose, and achieve results through new and needed best-practice principles.